Cryptographic Nonsenseware
A new malware variant by the name Gpcode.ak has been raising eyebrows in the security community. Upon infecting a computer, the trojan will encrypt the user’s documents, leaving a text file which demands money in exchange for a decryption key.
There are no new ideas here: encryption malware has been around for the better part of a decade, Adam Young and Moti Yung wrote a book about cryptovirology in 2004, and even Gpcode itself has been around since 2005, albeit with a far more primitive approach to encryption that the current incarnation.
The latest instance gets the crypto mostly right: it creates a unique 128-bit RC4 (Arcfour) key on each machine and uses a random initialization vector for each file it targets. The IV is written to the beginning of the file, encrypted by the per-machine key, run through MD5, and the output constitutes the per-file key, used to encrypt each file with RC4. At the end, the main per-machine RC4 key is encrypted with a 1024-bit RSA public key which the malware carries within its payload. The malware author can then send a tailored, per-machine decryptor to folks who pay up.
If you keep backups, you can obviously treat this attack as a simple data loss scenario. And if you don’t have backups and badly need the files back, you have no option but to pay: when used correctly, cryptography works. In their encrypted form and without the RSA private key, the files are as good as garbage. Anti-virus companies have no technological defense against this, can’t make any, and are being appropriately forthcoming:
A security company on Friday asked for help cracking an encryption key central to an extortion scheme that demands money from users whose PCs have been infected by malware. … “Along with antivirus companies around the world, we’re faced with the task of cracking the RSA 1024-bit key,” said Aleks Gostev, a senior virus analyst [at Kaspersky Lab].
See? Completely reasonab… wait, what? Factor the key? Seriously?
Arjen Lenstra and Eric Verheul estimate that, in 2009, a machine that can factor a RSA-1024 key in a day would cost $250 million. With a massive cluster of regular computers, such a computation would take years. And it gets better: 2048-bit RSA keys are considered impractical to factor before the year 2030, while 3072-bit keys are likely to provide protection beyond then. Do you see where this is going?
Even if the present key is factored, it’ll take the malware author mere minutes to generate a stronger one, insert it into the malware payload, and send it on its merry way. And we won’t be able to factor that one.
In fact, focusing on the cryptography in the malware misses the point entirely. What the malware is exposing is the far simpler fact that our desktop security systems are fundamentally broken, as there is no reason that a piece of malware executing silently in the background should have access to a user’s files without interaction or approval. If file access was securely brokered, we wouldn’t have to care about the crypto.
We know how to build desktop systems that are both drastically more secure and more usable than the ones in use today. Prototypes like CapDesk and Polaris demonstrate this on mainstream systems, while my own Bitfrost does so on the OLPC laptops. You won’t see ransomware on the XO-1.
When it comes to Gpcode, factoring the RSA key is the dumbest possible course of action. I know it, the security community knows it, and Kaspersky Lab knows it. It’s a press gambit, and one that I found distasteful at first. But I’ve come around: it grabs headlines, and maybe a proliferation of headline-grabbing, panic-sowing, fear-inducing threats like cryptoviral ransomware is exactly what’s needed to overcome inertia from operating system vendors and finally move us towards a more secure desktop.
Much love, Kaspersky Lab. Let’s go factor some keys.
